I only managed to reproduce this on DRT (it does not happen on TestShell nor Chromium). I should try it on The test tests the following: assert(classList[-1] === undefined); assert(classList[-1] === undefined); However, the second call incorrectly triggers the indexed getter which should return null for UInt32 that are larger than the length - 1. Why this happens on the second call is a mystery to me. I haven't been able to get a debugger attached to DRT. I would really appreciate some help from someone with some V8 binding foo.

Is it flaky? It looks 100% fail. http://test-results.appspot.com/dashboards/flakiness_dashboard.html#showExpectations=true&tests=class-list.html&useWebKitCanary=true

(In reply to comment #1) > I only managed to reproduce this on DRT (it does not happen on TestShell nor Chromium). I should try it on > > The test tests the following: > > assert(classList[-1] === undefined); > assert(classList[-1] === undefined); > > However, the second call incorrectly triggers the indexed getter which should return null for UInt32 that are larger than the length - 1. Why this happens on the second call is a mystery to me. I haven't been able to get a debugger attached to DRT. What is the platform? > > I would really appreciate some help from someone with some V8 binding foo. Is it the exact JS code which triggers the problem? v8 might compile different code if the code is in a loop, for example. If you could send a minimal test case in JS with instructions how to run it, I'll try to debug it on my box. I'd try to see (with printf unless there will be found the way to attach a debugger) the whole stack: how v8 invokes the callback (we should go either via runtime or small compiled stub). In any event, Erik, feel free to ping me on IM, I'd be glad to help.

Created attachment 69050 [details] Test case

(In reply to comment #4) > Created an attachment (id=69050) [details] > Test case It looks empty

This happens on all platforms according to http://test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=class-list.html&useWebKitCanary=true I only managed to repro this using DRT and it works as expected on TestShell and Chromium (I'm on a Mac).

(In reply to comment #5) > (In reply to comment #4) > > Created an attachment (id=69050) [details] [details] > > Test case > > It looks empty You need a build from yesterday or you'll see script errors. However I managed to reproduce this with MediaList. I'll add another test that shows the same bug with a media list.

Created attachment 69052 [details] Another related test This shows that MediaList has the same indexed getter bug in DRT as DOMTokenList.

It's actually V8 issue. The cure should be on the way: http://codereview.chromium.org/3520006/show

https://code.google.com/p/v8/source/detail?r=5553 committed to bleeding_edge, should reach Chromium ToT early next week (if everything goes smooth). r5554--5556 brings the fix to various v8 branches and should eventually go into Chrome 7 and maybe even Chrome 6. Erik, may you check if this fixes the issue and close the bug if it's the case?

I verified that the fix works.